CVE-2025-43356: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-43356 is a security vulnerability discovered in Apple's WebKit browser engine that affects multiple Apple operating systems and devices. The vulnerability was disclosed on September 15, 2025, and affects tvOS 26, Safari 26, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. The vulnerability was discovered by security researcher Jaydev Ahire (Apple Support).

The vulnerability exists in WebKit's cache handling mechanism. The technical issue involves improper handling of caches that could allow websites to access sensor information without proper user consent. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue is tracked in WebKit Bugzilla under ID 296153 (NVD).

The primary impact of this vulnerability is that it allows a malicious website to access device sensor information without obtaining proper user consent. This represents a significant privacy concern as it bypasses normal permission controls that protect sensitive sensor data (Apple Support).

Apple has addressed this vulnerability by improving the handling of caches in WebKit. The fix has been released in multiple software updates: tvOS 26, Safari 26, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. Users are advised to update their devices to these latest versions to protect against this vulnerability (Apple Support).